-
- if (need_rand)
- app_RAND_load_file(NULL, bio_err, 0);
-
- ERR_load_crypto_strings();
-
- if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
- {
- BIO_printf(bio_err, "Error getting password\n");
- goto end;
- }
-
- if (!X509_STORE_set_default_paths(ctx))
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
- { CAkeyfile=CAfile; }
- else if ((CA_flag) && (CAkeyfile == NULL))
- {
- BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n");
- goto end;
- }
-
- if (extfile)
- {
- long errorline = -1;
- X509V3_CTX ctx2;
- extconf = NCONF_new(NULL);
- if (!NCONF_load(extconf, extfile,&errorline))
- {
- if (errorline <= 0)
- BIO_printf(bio_err,
- "error loading the config file '%s'\n",
- extfile);
- else
- BIO_printf(bio_err,
- "error on line %ld of config file '%s'\n"
- ,errorline,extfile);
- goto end;
- }
- if (!extsect)
- {
- extsect = NCONF_get_string(extconf, "default", "extensions");
- if (!extsect)
- {
- ERR_clear_error();
- extsect = "default";
- }
- }
- X509V3_set_ctx_test(&ctx2);
- X509V3_set_nconf(&ctx2, extconf);
- if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL))
- {
- BIO_printf(bio_err,
- "Error Loading extension section %s\n",
- extsect);
- ERR_print_errors(bio_err);
- goto end;
- }
- }
-
-
- if (reqfile)
- {
- EVP_PKEY *pkey;
- X509_CINF *ci;
- BIO *in;
-
- if (!sign_flag && !CA_flag)
- {
- BIO_printf(bio_err,"We need a private key to sign with\n");
- goto end;
- }
- in=BIO_new(BIO_s_file());
- if (in == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (infile == NULL)
- BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
- else
- {
- if (BIO_read_filename(in,infile) <= 0)
- {
- perror(infile);
- BIO_free(in);
- goto end;
- }
- }
- req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
- BIO_free(in);
-
- if (req == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if ( (req->req_info == NULL) ||
- (req->req_info->pubkey == NULL) ||
- (req->req_info->pubkey->public_key == NULL) ||
- (req->req_info->pubkey->public_key->data == NULL))
- {
- BIO_printf(bio_err,"The certificate request appears to corrupted\n");
- BIO_printf(bio_err,"It does not contain a public key\n");
- goto end;
- }
- if ((pkey=X509_REQ_get_pubkey(req)) == NULL)
- {
- BIO_printf(bio_err,"error unpacking public key\n");
- goto end;
- }
- i=X509_REQ_verify(req,pkey);
- EVP_PKEY_free(pkey);
- if (i < 0)
- {
- BIO_printf(bio_err,"Signature verification error\n");
- ERR_print_errors(bio_err);
- goto end;
- }
- if (i == 0)
- {
- BIO_printf(bio_err,"Signature did not match the certificate request\n");
- goto end;
- }
- else
- BIO_printf(bio_err,"Signature ok\n");
-
- print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
-
- if ((x=X509_new()) == NULL) goto end;
- ci=x->cert_info;
-
- if (sno)
- {
- if (!X509_set_serialNumber(x, sno))
- goto end;
- }
- else if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
- if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
- if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
-
- X509_gmtime_adj(X509_get_notBefore(x),0);
- X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
-
- pkey = X509_REQ_get_pubkey(req);
- X509_set_pubkey(x,pkey);
- EVP_PKEY_free(pkey);
- }
- else
- x=load_cert(bio_err,infile,informat,NULL,e,"Certificate");
-
- if (x == NULL) goto end;
- if (CA_flag)
- {
- xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate");
- if (xca == NULL) goto end;
- }
-
- if (!noout || text)
- {
- OBJ_create("2.99999.3",
- "SET.ex3","SET x509v3 extension 3");
-
- out=BIO_new(BIO_s_file());
- if (out == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
- if (outfile == NULL)
- {
- BIO_set_fp(out,stdout,BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
- {
- BIO *tmpbio = BIO_new(BIO_f_linebuffer());
- out = BIO_push(tmpbio, out);
- }
+ case OPT_DATES:
+ startdate = ++num;
+ enddate = ++num;
+ break;
+ case OPT_CHECKEND:
+ checkend = 1;
+ {
+ intmax_t temp = 0;
+ if (!opt_imax(opt_arg(), &temp))
+ goto opthelp;
+ checkoffset = (time_t)temp;
+ if ((intmax_t)checkoffset != temp) {
+ BIO_printf(bio_err, "%s: checkend time out of range %s\n",
+ prog, opt_arg());
+ goto opthelp;
+ }
+ }
+ break;
+ case OPT_CHECKHOST:
+ checkhost = opt_arg();
+ break;
+ case OPT_CHECKEMAIL:
+ checkemail = opt_arg();
+ break;
+ case OPT_CHECKIP:
+ checkip = opt_arg();
+ break;
+ case OPT_PRESERVE_DATES:
+ if (days != DEF_DAYS)
+ goto opthelp;
+ preserve_dates = 1;
+ break;
+ case OPT_MD:
+ if (!opt_md(opt_unknown(), &digest))
+ goto opthelp;
+ }
+ }
+ argc = opt_num_rest();
+ argv = opt_rest();
+ if (argc != 0) {
+ BIO_printf(bio_err, "%s: Unknown parameter %s\n", prog, argv[0]);
+ goto opthelp;
+ }
+
+ if (!app_passwd(passinarg, NULL, &passin, NULL)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
+ if (!X509_STORE_set_default_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (newcert && infile != NULL) {
+ BIO_printf(bio_err, "The -in option must not be used since -new is set\n");
+ goto end;
+ }
+ if (newcert && fkeyfile == NULL) {
+ BIO_printf(bio_err,
+ "The -new option requires a public key to be set using -force_pubkey\n");
+ goto end;
+ }
+ if (fkeyfile != NULL) {
+ fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key");
+ if (fkey == NULL)
+ goto end;
+ }
+
+ if (newcert && subj == NULL) {
+ BIO_printf(bio_err,
+ "The -new option requires a subject to be set using -subj\n");
+ goto end;
+ }
+ if (subj != NULL && (fsubj = parse_name(subj, chtype, multirdn)) == NULL)
+ goto end;
+
+ if (CAkeyfile == NULL && CA_flag && CAformat == FORMAT_PEM) {
+ CAkeyfile = CAfile;
+ } else if (CA_flag && CAkeyfile == NULL) {
+ BIO_printf(bio_err,
+ "need to specify a CAkey if using the CA command\n");
+ goto end;
+ } else if (!CA_flag && CAkeyfile != NULL) {
+ BIO_printf(bio_err,
+ "ignoring -CAkey option since no -CA option is given\n");
+ }
+
+ if (extfile != NULL) {
+ X509V3_CTX ctx2;
+ if ((extconf = app_load_config(extfile)) == NULL)
+ goto end;
+ if (extsect == NULL) {
+ extsect = NCONF_get_string(extconf, "default", "extensions");
+ if (extsect == NULL) {
+ ERR_clear_error();
+ extsect = "default";
+ }
+ }
+ X509V3_set_ctx_test(&ctx2);
+ X509V3_set_nconf(&ctx2, extconf);
+ if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
+ BIO_printf(bio_err,
+ "Error Loading extension section %s\n", extsect);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+ if (reqfile) {
+ EVP_PKEY *pkey;
+
+ req = load_csr(infile, informat, "certificate request input");
+ if (req == NULL)
+ goto end;
+
+ if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) {
+ BIO_printf(bio_err, "error unpacking public key\n");
+ goto end;
+ }
+ i = do_X509_REQ_verify(req, pkey, vfyopts);
+ if (i < 0) {
+ BIO_printf(bio_err, "Request self-signature verification error\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if (i == 0) {
+ BIO_printf(bio_err,
+ "Request self-signature did not match the certificate request\n");
+ goto end;
+ } else {
+ BIO_printf(bio_err, "Request self-signature ok\n");
+ }
+
+ print_name(bio_err, "subject=", X509_REQ_get_subject_name(req),
+ get_nameopt());
+ }
+
+ if (reqfile || newcert) {
+ X509_NAME *n;
+
+ if (!sign_flag && CAkeyfile == NULL) {
+ BIO_printf(bio_err,
+ "We need a private key to sign with, use -signkey or -CAkey or -CA <file> with private key\n");
+ goto end;
+ }
+ if ((x = X509_new()) == NULL)
+ goto end;
+
+ if (sno == NULL) {
+ sno = ASN1_INTEGER_new();
+ if (sno == NULL || !rand_serial(NULL, sno))
+ goto end;
+ if (!X509_set_serialNumber(x, sno))
+ goto end;
+ ASN1_INTEGER_free(sno);
+ sno = NULL;
+ } else if (!X509_set_serialNumber(x, sno)) {
+ goto end;
+ }
+
+ n = req == NULL ? fsubj : X509_REQ_get_subject_name(req);
+ if (!X509_set_issuer_name(x, n) || !X509_set_subject_name(x, n))
+ goto end;
+ if (!set_cert_times(x, NULL, NULL, days))
+ goto end;
+
+ if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
+ goto end;
+ } else {
+ x = load_cert(infile, FORMAT_UNDEF, "Certificate");
+ if (x == NULL)
+ goto end;
+ if (fkey != NULL && !X509_set_pubkey(x, fkey))
+ goto end;
+ if (fsubj != NULL && !X509_set_subject_name(x, fsubj))
+ goto end;
+ }
+
+ if (CA_flag) {
+ xca = load_cert(CAfile, CAformat, "CA Certificate");
+ if (xca == NULL)
+ goto end;
+ }
+
+ out = bio_open_default(outfile, 'w', outformat);
+ if (out == NULL)
+ goto end;
+
+ if (!noout || text || next_serial)
+ OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3");
+
+ if (alias)
+ X509_alias_set1(x, (unsigned char *)alias, -1);
+
+ if (clrtrust)
+ X509_trust_clear(x);
+ if (clrreject)
+ X509_reject_clear(x);
+
+ if (trust != NULL) {
+ for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
+ objtmp = sk_ASN1_OBJECT_value(trust, i);
+ X509_add1_trust_object(x, objtmp);
+ }
+ objtmp = NULL;
+ }
+
+ if (reject != NULL) {
+ for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
+ objtmp = sk_ASN1_OBJECT_value(reject, i);
+ X509_add1_reject_object(x, objtmp);
+ }
+ objtmp = NULL;
+ }
+
+ if (badsig) {
+ const ASN1_BIT_STRING *signature;
+
+ X509_get0_signature(&signature, NULL, x);
+ corrupt_signature(signature);
+ }
+
+ if (num) {
+ for (i = 1; i <= num; i++) {
+ if (issuer == i) {
+ print_name(out, "issuer=", X509_get_issuer_name(x), get_nameopt());
+ } else if (subject == i) {
+ print_name(out, "subject=",
+ X509_get_subject_name(x), get_nameopt());
+ } else if (serial == i) {
+ BIO_printf(out, "serial=");
+ i2a_ASN1_INTEGER(out, X509_get_serialNumber(x));
+ BIO_printf(out, "\n");
+ } else if (next_serial == i) {
+ ASN1_INTEGER *ser = X509_get_serialNumber(x);
+ BIGNUM *bnser = ASN1_INTEGER_to_BN(ser, NULL);
+
+ if (!bnser)
+ goto end;
+ if (!BN_add_word(bnser, 1))
+ goto end;
+ ser = BN_to_ASN1_INTEGER(bnser, NULL);
+ if (!ser)
+ goto end;
+ BN_free(bnser);
+ i2a_ASN1_INTEGER(out, ser);
+ ASN1_INTEGER_free(ser);
+ BIO_puts(out, "\n");
+ } else if (email == i || ocsp_uri == i) {
+ int j;
+ STACK_OF(OPENSSL_STRING) *emlst;
+ if (email == i)
+ emlst = X509_get1_email(x);
+ else
+ emlst = X509_get1_ocsp(x);
+ for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
+ BIO_printf(out, "%s\n",
+ sk_OPENSSL_STRING_value(emlst, j));
+ X509_email_free(emlst);
+ } else if (aliasout == i) {
+ unsigned char *alstr;
+ alstr = X509_alias_get0(x, NULL);
+ if (alstr)
+ BIO_printf(out, "%s\n", alstr);
+ else
+ BIO_puts(out, "<No Alias>\n");
+ } else if (subject_hash == i) {
+ BIO_printf(out, "%08lx\n", X509_subject_name_hash(x));
+ }
+#ifndef OPENSSL_NO_MD5
+ else if (subject_hash_old == i) {
+ BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x));
+ }